Analysis

max time kernel: 98s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:35

Static task: static1
Behavioral task: behavioral1
Sample: 295299302ec143fc2fe88953f8d18f50N.exe
Resource: win7-20240704-en
General

Target: 295299302ec143fc2fe88953f8d18f50N.exe
Size: 138KB
MD5: 295299302ec143fc2fe88953f8d18f50
SHA1: a9109560d19576b54f3b91ef3a14dbcf140b9308
SHA256: fa388a99f5a0f3e29032a08e856a64fca0948ee0e9c7af6f99f47cd547aa7a88
SHA512: 8c5d17dda092f6db3e2def15d33ad9be7f138fdbb43f0d53d070f56f67c65722de61669357763620edf6eabc83e9870c19fd03b30d7a19d01979c1871226008a
SSDEEP: 3072:r7YubEwYXRWhpAJUHhzm4hUukS6KmecVW:oubkXRWhpAuhzm4hLkS6KmNW
Malware Config
Signatures
Executes dropped EXE (1 IoC)

    PID    Process
    636    smss.exe
Drops file in System32 directory (3 IoCs)

    Description                     IoC                                  Process
    File opened for modification    C:\Windows\SysWOW64\1230\smss.exe    295299302ec143fc2fe88953f8d18f50N.exe
    File opened for modification    C:\Windows\SysWOW64\1230\smss.exe    smss.exe
    File opened for modification    C:\Windows\SysWOW64\Service.exe      smss.exe
Launches sc.exe (4 IoCs)

sc.exe is a Windows utility for controlling services on the system. Here it is invoked four times to stop SharedAccess (Internet Connection Sharing, the service that hosted Windows Firewall on Windows XP) and wscsvc (Windows Security Center): once each by the original sample and again by the dropped smss.exe. Stopping these two services is a defense-evasion step; on Windows 10 the firewall itself runs under mpssvc, so the SharedAccess stop suggests the sample was written for older Windows versions.

    PID     Process
    4960    sc.exe
    2692    sc.exe
    756     sc.exe
    1420    sc.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that four of the six hits come from sc.exe itself, so access to this key is not specific to the sample and is weak evidence on its own.

    Description    IoC                                                          Process
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    295299302ec143fc2fe88953f8d18f50N.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sc.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    smss.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sc.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sc.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)

    PID     Process
    4964    295299302ec143fc2fe88953f8d18f50N.exe
    636     smss.exe
Suspicious use of WriteProcessMemory (15 IoCs)

Each parent/child pair below is recorded three times in the report, giving 15 entries for five distinct writes. The writes line up exactly with the process launches in the tree below (the sample writing into the two sc.exe instances and into smss.exe, then smss.exe writing into its own two sc.exe children), so they reflect process creation rather than injection into an unrelated process.

    Description                         PID     Process                                   procid_target    Count
    PID 4964 wrote to memory of 4960    4964    295299302ec143fc2fe88953f8d18f50N.exe     84               3
    PID 4964 wrote to memory of 2692    4964    295299302ec143fc2fe88953f8d18f50N.exe     86               3
    PID 4964 wrote to memory of 636     4964    295299302ec143fc2fe88953f8d18f50N.exe     88               3
    PID 636 wrote to memory of 756      636     smss.exe                                  89               3
    PID 636 wrote to memory of 1420     636     smss.exe                                  91               3
Processes

The image paths below resolve to C:\Windows\SysWOW64 while the command lines name C:\Windows\system32 because the sample is a 32-bit executable (arch:x86) and is subject to WOW64 file system redirection. The dropped smss.exe under SysWOW64\1230 is not the Session Manager (the real smss.exe lives in System32); it borrows the name to blend in.

[1] C:\Users\Admin\AppData\Local\Temp\295299302ec143fc2fe88953f8d18f50N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\295299302ec143fc2fe88953f8d18f50N.exe"
    PID: 4964
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: C:\Windows\system32\sc.exe stop SharedAccess
        PID: 4960
        - Launches sc.exe
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: C:\Windows\system32\sc.exe stop wscsvc
        PID: 2692
        - Launches sc.exe
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\1230\smss.exe
        Command line: C:\Windows\system32\1230\smss.exe -d
        PID: 636
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe
            Command line: C:\Windows\system32\sc.exe stop SharedAccess
            PID: 756
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\sc.exe
            Command line: C:\Windows\system32\sc.exe stop wscsvc
            PID: 1420
            - Launches sc.exe
            - System Location Discovery: System Language Discovery
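The two behaviours worth alerting on in this tree are sc.exe stopping security services and a core system binary name (smss.exe) running from a directory it never lives in. The script below is an added example (not part of the sandbox report or the sample) that runs those two checks over process-creation events constructed from the tree above. The parent PID 1234 for the sample, the two benign control events, and the extra service names mpssvc and WinDefend in the watch-list are assumptions; only SharedAccess and wscsvc were observed here.

```python
"""Detection logic for this report's behaviour: sc.exe stopping security
services, and a system-binary name (smss.exe) launched from outside System32.
The events at the bottom are constructed from the report's process tree."""
import ntpath
from dataclasses import dataclass

# Services whose stop/disable is a defense-evasion signal. SharedAccess and
# wscsvc are the two the sample targets; mpssvc and WinDefend are assumed
# additions (real service names, but not observed in this report).
SECURITY_SERVICES = {
    "sharedaccess": "Internet Connection Sharing (hosted Windows Firewall on XP)",
    "wscsvc": "Windows Security Center",
    "mpssvc": "Windows Defender Firewall",
    "windefend": "Microsoft Defender Antivirus",
}

# Core system binaries that live only in System32; a same-named file anywhere
# else (e.g. C:\Windows\SysWOW64\1230\smss.exe in the report) is masquerading.
SYSTEM_BINARY_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

SC_VERBS = {"stop", "delete", "config"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sandbox/EDR resolved it
    cmdline: str    # command line as launched


def sc_target(cmdline):
    """Return (verb, service) for an sc.exe command line, or None.
    Tolerates the optional \\\\server argument that may precede the verb."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        verb = tok.lower()
        if verb in SC_VERBS:
            return verb, toks[i + 1].lower()
    return None


def service_tamper_finding(ev, by_pid):
    """Flag sc.exe stopping/deleting/disabling a watched service."""
    if ntpath.basename(ev.image).lower() != "sc.exe":
        return None
    hit = sc_target(ev.cmdline)
    if hit is None or hit[1] not in SECURITY_SERVICES:
        return None
    verb, svc = hit
    # 'sc config' only matters when it disables the service
    if verb == "config" and "disabled" not in ev.cmdline.lower():
        return None
    parent = by_pid.get(ev.ppid)
    pname = ntpath.basename(parent.image) if parent else "<unknown>"
    return ("service_tamper", ev.pid,
            f"{pname} (pid {ev.ppid}) ran sc {verb} {svc} "
            f"[{SECURITY_SERVICES[svc]}]")


def masquerade_finding(ev):
    """Flag a protected binary name running from a non-standard directory."""
    name = ntpath.basename(ev.image).lower()
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes is None:
        return None
    directory = ntpath.dirname(ev.image).lower()
    if directory in homes:
        return None
    return ("masquerade", ev.pid,
            f"{name} launched from {directory!r}, expected {sorted(homes)}")


def analyze(events):
    """Run both checks over ProcEvents; returns (kind, pid, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for f in (service_tamper_finding(ev, by_pid), masquerade_finding(ev)):
            if f is not None:
                findings.append(f)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\295299302ec143fc2fe88953f8d18f50N.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
# Constructed from the process tree; ppid 1234 and the last two events are assumed.
SAMPLE_EVENTS = [
    ProcEvent(4964, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4960, 4964, SC, r"C:\Windows\system32\sc.exe stop SharedAccess"),
    ProcEvent(2692, 4964, SC, r"C:\Windows\system32\sc.exe stop wscsvc"),
    ProcEvent(636, 4964, r"C:\Windows\SysWOW64\1230\smss.exe",
              r"C:\Windows\system32\1230\smss.exe -d"),
    ProcEvent(756, 636, SC, r"C:\Windows\system32\sc.exe stop SharedAccess"),
    ProcEvent(1420, 636, SC, r"C:\Windows\system32\sc.exe stop wscsvc"),
    # benign controls: an admin query, and the real Session Manager
    ProcEvent(5000, 1234, r"C:\Windows\System32\sc.exe", "sc.exe query wscsvc"),
    ProcEvent(400, 4, r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
]

if __name__ == "__main__":
    for kind, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind:15} pid={pid:<5} {detail}")
```

Run against the constructed events this yields four service_tamper findings (PIDs 4960, 2692, 756, 1420) and one masquerade finding (PID 636); the `sc query` control and the genuine System32\smss.exe produce nothing. The parent lookup is what makes the alert actionable: it names the dropper or the dropped smss.exe rather than just sc.exe.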
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 138KB
MD5: 7cc6904064d2fbb8f30f97f37322115f
SHA1: 3294435c4203a8f7b379ba71682a4631c9fd5a64
SHA256: fc1e23cc0fa24a2f3ab241043700602dc0561d9902b6c8cb44ac97d636d94eaf
SHA512: ca05e3e26ebf523e21847c49b353844de0861e82c9edc1d4bb31b25480387063779c91e2084e2388223e353edc5aec009485d1dbff9118d48f0aba4038552252